revocation certificates

anon90140984 · July 26, 2013, 6:39pm

The Kleopatra manual says :

“When OpenPGP certificates have been exported to a public directory server, it is nearly impossible to remove them again. Before exporting your certificate to a public directory server, make sure that you have created a revocation certificate so you can revoke the certificate if needed later.”

But I cannot find any mention of how to make such a certificate. The GpG4win Compendium also refers to CRL’s revocation lists but doesn’t say how to make a revocation certificate.

Maybe I missed a vital clue somewhere but could someone please tell me how prepare a revocation certificate using Kleopatra or otherwise ?

anon90979041 · August 18, 2013, 4:28pm

In the command prompt:

C:\Users\Owner>gpg -o revocation_cert.asc --gen-revoke sample@gmail.com

sec 2048R/GHU8Y7R 2013-01-01 John Q. Public sample@mail.com

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:

Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: “John Q. Public sample@mail.com”
2048-bit RSA key, ID GHU8Y7R, created 2013-01-01

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

C:\Users\Owner>

anon90140984 · August 19, 2013, 4:48pm

Thanks for this info. I take it that revocation certificates must be made from the command line and cannot be generated through Kleopatra.

anon8168267 · August 19, 2013, 5:03pm

yes thanks, this info is interesting, but more generally, where can we find info about command lines functions ?

anon63938304 · August 19, 2013, 5:52pm

Try this web page:

http://www.spywarewarrior.com/uiuc/gpg/gpg-com-4.htm#toc

anon90979041 · August 19, 2013, 6:37pm

Just checked and I could not find a way to generate a revocation certificate through either Kleopatra or Gnu Privacy Assistant. Looks like the command line is the only option here.

anon8168267 · August 20, 2013, 8:07am

Thanks Greg

anon55078061 · February 13, 2014, 11:30am

Although the command “gpg -o revocation_cert.asc --gen-revoke walmac@lineone.net” worked perfectly, I found that I had to enter the directory in which gpg.exe was situated, ie"C:\program files\GNU\gnupg" and not the entry in “C:\users\walmac\appdata\roaming”.

I am using Win 7 so that may be the difference.

anon90140984 · February 13, 2014, 4:46pm

A small update on the generation of revocation certificates using a gui - enigmail’s key manager has an easy to use interface and allows generation of revocation certs either when a new key pair is made or later.